| 0 |
| url |
VCID-6cep-dhsy-qkhg |
| vulnerability_id |
VCID-6cep-dhsy-qkhg |
| summary |
Vite DOM Clobbering gadget found in vite bundled scripts that leads to XSS
We discovered a DOM Clobbering vulnerability in Vite when building scripts to `cjs`/`iife`/`umd` output format. The DOM Clobbering gadget in the module can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an img tag with an unsanitized name attribute) are present.
Note that, we have identified similar security issues in Webpack: https://github.com/webpack/webpack/security/advisories/GHSA-4vvj-4cpr-p986 |
| references |
| 0 |
|
| 1 |
|
| 2 |
| reference_url |
https://github.com/vitejs/vite |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.4 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H |
|
| 1 |
| value |
4.8 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/vitejs/vite |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
| reference_url |
https://scnps.co/papers/sp23_domclob.pdf |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.4 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H |
|
| 1 |
| value |
4.8 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-18T13:57:07Z/ |
|
|
| url |
https://scnps.co/papers/sp23_domclob.pdf |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
|
| fixed_packages |
| 0 |
|
| 1 |
| url |
pkg:npm/vite@4.5.5 |
| purl |
pkg:npm/vite@4.5.5 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-b2m1-kmdu-ykgt |
|
| 1 |
| vulnerability |
VCID-cwjw-gp95-5uad |
|
| 2 |
| vulnerability |
VCID-gdv1-n78f-tud7 |
|
| 3 |
| vulnerability |
VCID-gefx-xng3-k3f4 |
|
| 4 |
| vulnerability |
VCID-jxyb-k93s-g3e8 |
|
| 5 |
| vulnerability |
VCID-na8b-yqpp-p7fj |
|
| 6 |
| vulnerability |
VCID-q59b-2z2s-mfbt |
|
| 7 |
| vulnerability |
VCID-t716-h35b-9kf2 |
|
| 8 |
| vulnerability |
VCID-zn73-3dmx-vye4 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/vite@4.5.5 |
|
| 2 |
| url |
pkg:npm/vite@5.1.8 |
| purl |
pkg:npm/vite@5.1.8 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-b2m1-kmdu-ykgt |
|
| 1 |
| vulnerability |
VCID-cwjw-gp95-5uad |
|
| 2 |
| vulnerability |
VCID-gdv1-n78f-tud7 |
|
| 3 |
| vulnerability |
VCID-gefx-xng3-k3f4 |
|
| 4 |
| vulnerability |
VCID-jxyb-k93s-g3e8 |
|
| 5 |
| vulnerability |
VCID-na8b-yqpp-p7fj |
|
| 6 |
| vulnerability |
VCID-q59b-2z2s-mfbt |
|
| 7 |
| vulnerability |
VCID-t716-h35b-9kf2 |
|
| 8 |
| vulnerability |
VCID-zn73-3dmx-vye4 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/vite@5.1.8 |
|
| 3 |
|
| 4 |
|
| 5 |
| url |
pkg:npm/vite@5.3.6 |
| purl |
pkg:npm/vite@5.3.6 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-b2m1-kmdu-ykgt |
|
| 1 |
| vulnerability |
VCID-cwjw-gp95-5uad |
|
| 2 |
| vulnerability |
VCID-gdv1-n78f-tud7 |
|
| 3 |
| vulnerability |
VCID-gefx-xng3-k3f4 |
|
| 4 |
| vulnerability |
VCID-jxyb-k93s-g3e8 |
|
| 5 |
| vulnerability |
VCID-na8b-yqpp-p7fj |
|
| 6 |
| vulnerability |
VCID-q59b-2z2s-mfbt |
|
| 7 |
| vulnerability |
VCID-t716-h35b-9kf2 |
|
| 8 |
| vulnerability |
VCID-zn73-3dmx-vye4 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/vite@5.3.6 |
|
| 6 |
| url |
pkg:npm/vite@5.4.6 |
| purl |
pkg:npm/vite@5.4.6 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-b2m1-kmdu-ykgt |
|
| 1 |
| vulnerability |
VCID-cwjw-gp95-5uad |
|
| 2 |
| vulnerability |
VCID-gdv1-n78f-tud7 |
|
| 3 |
| vulnerability |
VCID-gefx-xng3-k3f4 |
|
| 4 |
| vulnerability |
VCID-jxyb-k93s-g3e8 |
|
| 5 |
| vulnerability |
VCID-na8b-yqpp-p7fj |
|
| 6 |
| vulnerability |
VCID-q59b-2z2s-mfbt |
|
| 7 |
| vulnerability |
VCID-t716-h35b-9kf2 |
|
| 8 |
| vulnerability |
VCID-zn73-3dmx-vye4 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/vite@5.4.6 |
|
|
| aliases |
CVE-2024-45812, GHSA-64vr-g452-qvp3
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-6cep-dhsy-qkhg |
|
| 1 |
| url |
VCID-b2m1-kmdu-ykgt |
| vulnerability_id |
VCID-b2m1-kmdu-ykgt |
| summary |
Vite's `server.fs` settings were not applied to HTML files
Any HTML files on the machine were served regardless of the `server.fs` settings. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
|
| fixed_packages |
|
| aliases |
CVE-2025-58752, GHSA-jqfw-vq24-v9c3
|
| risk_score |
1.6 |
| exploitability |
0.5 |
| weighted_severity |
3.3 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-b2m1-kmdu-ykgt |
|
| 2 |
| url |
VCID-ccy3-s9ra-uub9 |
| vulnerability_id |
VCID-ccy3-s9ra-uub9 |
| summary |
Vite's `server.fs.deny` is bypassed when using `?import&raw`
The contents of arbitrary files can be returned to the browser. |
| references |
| 0 |
|
| 1 |
|
| 2 |
| reference_url |
https://github.com/vitejs/vite |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
|
| 1 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/vitejs/vite |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
| reference_url |
https://github.com/vitejs/vite/security/advisories/GHSA-9cwx-2883-4wfx |
| reference_id |
GHSA-9cwx-2883-4wfx |
| reference_type |
|
| scores |
| 0 |
| value |
4.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N |
|
| 1 |
| value |
5.3 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
cvssv3.1_qr |
| scoring_elements |
|
|
| 3 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N |
|
| 4 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 5 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-18T13:59:58Z/ |
|
|
| url |
https://github.com/vitejs/vite/security/advisories/GHSA-9cwx-2883-4wfx |
|
| 12 |
|
| 13 |
|
|
| fixed_packages |
| 0 |
|
| 1 |
| url |
pkg:npm/vite@4.5.5 |
| purl |
pkg:npm/vite@4.5.5 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-b2m1-kmdu-ykgt |
|
| 1 |
| vulnerability |
VCID-cwjw-gp95-5uad |
|
| 2 |
| vulnerability |
VCID-gdv1-n78f-tud7 |
|
| 3 |
| vulnerability |
VCID-gefx-xng3-k3f4 |
|
| 4 |
| vulnerability |
VCID-jxyb-k93s-g3e8 |
|
| 5 |
| vulnerability |
VCID-na8b-yqpp-p7fj |
|
| 6 |
| vulnerability |
VCID-q59b-2z2s-mfbt |
|
| 7 |
| vulnerability |
VCID-t716-h35b-9kf2 |
|
| 8 |
| vulnerability |
VCID-zn73-3dmx-vye4 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/vite@4.5.5 |
|
| 2 |
| url |
pkg:npm/vite@5.1.8 |
| purl |
pkg:npm/vite@5.1.8 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-b2m1-kmdu-ykgt |
|
| 1 |
| vulnerability |
VCID-cwjw-gp95-5uad |
|
| 2 |
| vulnerability |
VCID-gdv1-n78f-tud7 |
|
| 3 |
| vulnerability |
VCID-gefx-xng3-k3f4 |
|
| 4 |
| vulnerability |
VCID-jxyb-k93s-g3e8 |
|
| 5 |
| vulnerability |
VCID-na8b-yqpp-p7fj |
|
| 6 |
| vulnerability |
VCID-q59b-2z2s-mfbt |
|
| 7 |
| vulnerability |
VCID-t716-h35b-9kf2 |
|
| 8 |
| vulnerability |
VCID-zn73-3dmx-vye4 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/vite@5.1.8 |
|
| 3 |
|
| 4 |
|
| 5 |
| url |
pkg:npm/vite@5.3.6 |
| purl |
pkg:npm/vite@5.3.6 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-b2m1-kmdu-ykgt |
|
| 1 |
| vulnerability |
VCID-cwjw-gp95-5uad |
|
| 2 |
| vulnerability |
VCID-gdv1-n78f-tud7 |
|
| 3 |
| vulnerability |
VCID-gefx-xng3-k3f4 |
|
| 4 |
| vulnerability |
VCID-jxyb-k93s-g3e8 |
|
| 5 |
| vulnerability |
VCID-na8b-yqpp-p7fj |
|
| 6 |
| vulnerability |
VCID-q59b-2z2s-mfbt |
|
| 7 |
| vulnerability |
VCID-t716-h35b-9kf2 |
|
| 8 |
| vulnerability |
VCID-zn73-3dmx-vye4 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/vite@5.3.6 |
|
| 6 |
| url |
pkg:npm/vite@5.4.6 |
| purl |
pkg:npm/vite@5.4.6 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-b2m1-kmdu-ykgt |
|
| 1 |
| vulnerability |
VCID-cwjw-gp95-5uad |
|
| 2 |
| vulnerability |
VCID-gdv1-n78f-tud7 |
|
| 3 |
| vulnerability |
VCID-gefx-xng3-k3f4 |
|
| 4 |
| vulnerability |
VCID-jxyb-k93s-g3e8 |
|
| 5 |
| vulnerability |
VCID-na8b-yqpp-p7fj |
|
| 6 |
| vulnerability |
VCID-q59b-2z2s-mfbt |
|
| 7 |
| vulnerability |
VCID-t716-h35b-9kf2 |
|
| 8 |
| vulnerability |
VCID-zn73-3dmx-vye4 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/vite@5.4.6 |
|
|
| aliases |
CVE-2024-45811, GHSA-9cwx-2883-4wfx
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-ccy3-s9ra-uub9 |
|
| 3 |
|
| 4 |
| url |
VCID-gdv1-n78f-tud7 |
| vulnerability_id |
VCID-gdv1-n78f-tud7 |
| summary |
Websites were able to send any requests to the development server and read the response in vite
Vite allowed any websites to send any requests to the development server and read the response due to default CORS settings and lack of validation on the Origin header for WebSocket connections.
> [!WARNING]
> This vulnerability even applies to users that only run the Vite dev server on the local machine and does not expose the dev server to the network. |
| references |
|
| fixed_packages |
| 0 |
|
| 1 |
|
| 2 |
| url |
pkg:npm/vite@6.0.9 |
| purl |
pkg:npm/vite@6.0.9 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-b2m1-kmdu-ykgt |
|
| 1 |
| vulnerability |
VCID-cwjw-gp95-5uad |
|
| 2 |
| vulnerability |
VCID-gefx-xng3-k3f4 |
|
| 3 |
| vulnerability |
VCID-jxyb-k93s-g3e8 |
|
| 4 |
| vulnerability |
VCID-na8b-yqpp-p7fj |
|
| 5 |
| vulnerability |
VCID-p1jn-hqj6-j7ca |
|
| 6 |
| vulnerability |
VCID-q59b-2z2s-mfbt |
|
| 7 |
| vulnerability |
VCID-t716-h35b-9kf2 |
|
| 8 |
| vulnerability |
VCID-zn73-3dmx-vye4 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/vite@6.0.9 |
|
|
| aliases |
CVE-2025-24010, GHSA-vg6x-rcgg-rjx6
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-gdv1-n78f-tud7 |
|
| 5 |
| url |
VCID-gefx-xng3-k3f4 |
| vulnerability_id |
VCID-gefx-xng3-k3f4 |
| summary |
Vite middleware may serve files starting with the same name with the public directory
Files starting with the same name with the public directory were served bypassing the `server.fs` settings. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
|
| fixed_packages |
|
| aliases |
CVE-2025-58751, GHSA-g4jq-h2w9-997c
|
| risk_score |
1.6 |
| exploitability |
0.5 |
| weighted_severity |
3.3 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-gefx-xng3-k3f4 |
|
| 6 |
|
| 7 |
| url |
VCID-mbnq-b7vj-jyhb |
| vulnerability_id |
VCID-mbnq-b7vj-jyhb |
| summary |
Improper Access Control
Vite is a frontend tooling framework for javascript. The Vite dev server option `server.fs.deny` can be bypassed on case-insensitive file systems using case-augmented versions of filenames. Notably this affects servers hosted on Windows. This bypass is similar to CVE-2023-34092 -- with surface area reduced to hosts having case-insensitive filesystems. Since `picomatch` defaults to case-sensitive glob matching, but the file server does not discriminate; a block list bypass is possible. By requesting raw filesystem paths using augmented casing, the matcher derived from `config.server.fs.deny` fails to block access to sensitive files. This issue has been addressed in vite@5.0.12, vite@4.5.2, vite@3.2.8, and vite@2.9.17. Users are advised to upgrade. Users unable to upgrade should restrict access to dev servers. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:npm/vite@4.5.2 |
| purl |
pkg:npm/vite@4.5.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-6cep-dhsy-qkhg |
|
| 1 |
| vulnerability |
VCID-b2m1-kmdu-ykgt |
|
| 2 |
| vulnerability |
VCID-ccy3-s9ra-uub9 |
|
| 3 |
| vulnerability |
VCID-cwjw-gp95-5uad |
|
| 4 |
| vulnerability |
VCID-gdv1-n78f-tud7 |
|
| 5 |
| vulnerability |
VCID-gefx-xng3-k3f4 |
|
| 6 |
| vulnerability |
VCID-jxyb-k93s-g3e8 |
|
| 7 |
| vulnerability |
VCID-na8b-yqpp-p7fj |
|
| 8 |
| vulnerability |
VCID-q59b-2z2s-mfbt |
|
| 9 |
| vulnerability |
VCID-t716-h35b-9kf2 |
|
| 10 |
| vulnerability |
VCID-vyjc-1f5b-p7cs |
|
| 11 |
| vulnerability |
VCID-zn73-3dmx-vye4 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/vite@4.5.2 |
|
| 1 |
|
| 2 |
| url |
pkg:npm/vite@5.0.12 |
| purl |
pkg:npm/vite@5.0.12 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-6cep-dhsy-qkhg |
|
| 1 |
| vulnerability |
VCID-b2m1-kmdu-ykgt |
|
| 2 |
| vulnerability |
VCID-ccy3-s9ra-uub9 |
|
| 3 |
| vulnerability |
VCID-cwjw-gp95-5uad |
|
| 4 |
| vulnerability |
VCID-gdv1-n78f-tud7 |
|
| 5 |
| vulnerability |
VCID-gefx-xng3-k3f4 |
|
| 6 |
| vulnerability |
VCID-jxyb-k93s-g3e8 |
|
| 7 |
| vulnerability |
VCID-na8b-yqpp-p7fj |
|
| 8 |
| vulnerability |
VCID-q59b-2z2s-mfbt |
|
| 9 |
| vulnerability |
VCID-t716-h35b-9kf2 |
|
| 10 |
| vulnerability |
VCID-vyjc-1f5b-p7cs |
|
| 11 |
| vulnerability |
VCID-zn73-3dmx-vye4 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/vite@5.0.12 |
|
| 3 |
| url |
pkg:npm/vite@5.1.0-beta.0 |
| purl |
pkg:npm/vite@5.1.0-beta.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-6cep-dhsy-qkhg |
|
| 1 |
| vulnerability |
VCID-b2m1-kmdu-ykgt |
|
| 2 |
| vulnerability |
VCID-ccy3-s9ra-uub9 |
|
| 3 |
| vulnerability |
VCID-cwjw-gp95-5uad |
|
| 4 |
| vulnerability |
VCID-gdv1-n78f-tud7 |
|
| 5 |
| vulnerability |
VCID-gefx-xng3-k3f4 |
|
| 6 |
| vulnerability |
VCID-jxyb-k93s-g3e8 |
|
| 7 |
| vulnerability |
VCID-na8b-yqpp-p7fj |
|
| 8 |
| vulnerability |
VCID-q59b-2z2s-mfbt |
|
| 9 |
| vulnerability |
VCID-t716-h35b-9kf2 |
|
| 10 |
| vulnerability |
VCID-zn73-3dmx-vye4 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/vite@5.1.0-beta.0 |
|
|
| aliases |
CVE-2024-23331, GHSA-c24v-8rfc-w8vw
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-mbnq-b7vj-jyhb |
|
| 8 |
| url |
VCID-n143-1uka-s3eg |
| vulnerability_id |
VCID-n143-1uka-s3eg |
| summary |
Use of Incorrectly-Resolved Name or Reference
Vite provides frontend tooling. Prior to versions 2.9.16, 3.2.7, 4.0.5, 4.1.5, 4.2.3, and 4.3.9, Vite Server Options (`server.fs.deny`) can be bypassed using double forward-slash (//) allows any unauthenticated user to read file from the Vite root-path of the application including the default `fs.deny` settings (`['.env', '.env.*', '*.{crt,pem}']`). Only users explicitly exposing the Vite dev server to the network (using `--host` or `server.host` config option) are affected, and only files in the immediate Vite project root folder could be exposed. This issue is fixed in vite@4.3.9, vite@4.2.3, vite@4.1.5, vite@4.0.5, vite@3.2.7, and vite@2.9.16. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:npm/vite@4.0.5 |
| purl |
pkg:npm/vite@4.0.5 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-6cep-dhsy-qkhg |
|
| 1 |
| vulnerability |
VCID-b2m1-kmdu-ykgt |
|
| 2 |
| vulnerability |
VCID-ccy3-s9ra-uub9 |
|
| 3 |
| vulnerability |
VCID-cwjw-gp95-5uad |
|
| 4 |
| vulnerability |
VCID-gdv1-n78f-tud7 |
|
| 5 |
| vulnerability |
VCID-gefx-xng3-k3f4 |
|
| 6 |
| vulnerability |
VCID-jxyb-k93s-g3e8 |
|
| 7 |
| vulnerability |
VCID-mbnq-b7vj-jyhb |
|
| 8 |
| vulnerability |
VCID-na8b-yqpp-p7fj |
|
| 9 |
| vulnerability |
VCID-q59b-2z2s-mfbt |
|
| 10 |
| vulnerability |
VCID-t716-h35b-9kf2 |
|
| 11 |
| vulnerability |
VCID-vyjc-1f5b-p7cs |
|
| 12 |
| vulnerability |
VCID-zn73-3dmx-vye4 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/vite@4.0.5 |
|
| 1 |
| url |
pkg:npm/vite@4.1.5 |
| purl |
pkg:npm/vite@4.1.5 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-6cep-dhsy-qkhg |
|
| 1 |
| vulnerability |
VCID-b2m1-kmdu-ykgt |
|
| 2 |
| vulnerability |
VCID-ccy3-s9ra-uub9 |
|
| 3 |
| vulnerability |
VCID-cwjw-gp95-5uad |
|
| 4 |
| vulnerability |
VCID-gdv1-n78f-tud7 |
|
| 5 |
| vulnerability |
VCID-gefx-xng3-k3f4 |
|
| 6 |
| vulnerability |
VCID-jxyb-k93s-g3e8 |
|
| 7 |
| vulnerability |
VCID-mbnq-b7vj-jyhb |
|
| 8 |
| vulnerability |
VCID-na8b-yqpp-p7fj |
|
| 9 |
| vulnerability |
VCID-q59b-2z2s-mfbt |
|
| 10 |
| vulnerability |
VCID-t716-h35b-9kf2 |
|
| 11 |
| vulnerability |
VCID-vyjc-1f5b-p7cs |
|
| 12 |
| vulnerability |
VCID-zn73-3dmx-vye4 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/vite@4.1.5 |
|
| 2 |
| url |
pkg:npm/vite@4.2.3 |
| purl |
pkg:npm/vite@4.2.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-6cep-dhsy-qkhg |
|
| 1 |
| vulnerability |
VCID-b2m1-kmdu-ykgt |
|
| 2 |
| vulnerability |
VCID-ccy3-s9ra-uub9 |
|
| 3 |
| vulnerability |
VCID-cwjw-gp95-5uad |
|
| 4 |
| vulnerability |
VCID-gdv1-n78f-tud7 |
|
| 5 |
| vulnerability |
VCID-gefx-xng3-k3f4 |
|
| 6 |
| vulnerability |
VCID-jxyb-k93s-g3e8 |
|
| 7 |
| vulnerability |
VCID-mbnq-b7vj-jyhb |
|
| 8 |
| vulnerability |
VCID-na8b-yqpp-p7fj |
|
| 9 |
| vulnerability |
VCID-q59b-2z2s-mfbt |
|
| 10 |
| vulnerability |
VCID-t716-h35b-9kf2 |
|
| 11 |
| vulnerability |
VCID-vyjc-1f5b-p7cs |
|
| 12 |
| vulnerability |
VCID-zn73-3dmx-vye4 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/vite@4.2.3 |
|
| 3 |
| url |
pkg:npm/vite@4.3.9 |
| purl |
pkg:npm/vite@4.3.9 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-6cep-dhsy-qkhg |
|
| 1 |
| vulnerability |
VCID-b2m1-kmdu-ykgt |
|
| 2 |
| vulnerability |
VCID-ccy3-s9ra-uub9 |
|
| 3 |
| vulnerability |
VCID-cwjw-gp95-5uad |
|
| 4 |
| vulnerability |
VCID-gdv1-n78f-tud7 |
|
| 5 |
| vulnerability |
VCID-gefx-xng3-k3f4 |
|
| 6 |
| vulnerability |
VCID-jxyb-k93s-g3e8 |
|
| 7 |
| vulnerability |
VCID-mbnq-b7vj-jyhb |
|
| 8 |
| vulnerability |
VCID-na8b-yqpp-p7fj |
|
| 9 |
| vulnerability |
VCID-q59b-2z2s-mfbt |
|
| 10 |
| vulnerability |
VCID-t716-h35b-9kf2 |
|
| 11 |
| vulnerability |
VCID-vyjc-1f5b-p7cs |
|
| 12 |
| vulnerability |
VCID-zn73-3dmx-vye4 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/vite@4.3.9 |
|
|
| aliases |
CVE-2023-34092, GHSA-353f-5xf4-qw67
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-n143-1uka-s3eg |
|
| 9 |
|
| 10 |
|
| 11 |
| url |
VCID-t716-h35b-9kf2 |
| vulnerability_id |
VCID-t716-h35b-9kf2 |
| summary |
Vite has an `server.fs.deny` bypass with an invalid `request-target`
The contents of arbitrary files can be returned to the browser if the dev server is running on Node or Bun. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2025-32395, GHSA-356w-63v5-8wf4
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-t716-h35b-9kf2 |
|
| 12 |
| url |
VCID-vyjc-1f5b-p7cs |
| vulnerability_id |
VCID-vyjc-1f5b-p7cs |
| summary |
Vite's `server.fs.deny` did not deny requests for patterns with directories.
[Vite dev server option](https://vitejs.dev/config/server-options.html#server-fs-deny) `server.fs.deny` did not deny requests for patterns with directories. An example of such a pattern is `/foo/**/*`. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:npm/vite@4.5.3 |
| purl |
pkg:npm/vite@4.5.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-6cep-dhsy-qkhg |
|
| 1 |
| vulnerability |
VCID-b2m1-kmdu-ykgt |
|
| 2 |
| vulnerability |
VCID-ccy3-s9ra-uub9 |
|
| 3 |
| vulnerability |
VCID-cwjw-gp95-5uad |
|
| 4 |
| vulnerability |
VCID-gdv1-n78f-tud7 |
|
| 5 |
| vulnerability |
VCID-gefx-xng3-k3f4 |
|
| 6 |
| vulnerability |
VCID-jxyb-k93s-g3e8 |
|
| 7 |
| vulnerability |
VCID-kb9w-txmc-pbhq |
|
| 8 |
| vulnerability |
VCID-na8b-yqpp-p7fj |
|
| 9 |
| vulnerability |
VCID-q59b-2z2s-mfbt |
|
| 10 |
| vulnerability |
VCID-t716-h35b-9kf2 |
|
| 11 |
| vulnerability |
VCID-zn73-3dmx-vye4 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/vite@4.5.3 |
|
| 1 |
| url |
pkg:npm/vite@5.0.13 |
| purl |
pkg:npm/vite@5.0.13 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-6cep-dhsy-qkhg |
|
| 1 |
| vulnerability |
VCID-b2m1-kmdu-ykgt |
|
| 2 |
| vulnerability |
VCID-ccy3-s9ra-uub9 |
|
| 3 |
| vulnerability |
VCID-cwjw-gp95-5uad |
|
| 4 |
| vulnerability |
VCID-gdv1-n78f-tud7 |
|
| 5 |
| vulnerability |
VCID-gefx-xng3-k3f4 |
|
| 6 |
| vulnerability |
VCID-jxyb-k93s-g3e8 |
|
| 7 |
| vulnerability |
VCID-na8b-yqpp-p7fj |
|
| 8 |
| vulnerability |
VCID-q59b-2z2s-mfbt |
|
| 9 |
| vulnerability |
VCID-t716-h35b-9kf2 |
|
| 10 |
| vulnerability |
VCID-zn73-3dmx-vye4 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/vite@5.0.13 |
|
| 2 |
| url |
pkg:npm/vite@5.1.7 |
| purl |
pkg:npm/vite@5.1.7 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-6cep-dhsy-qkhg |
|
| 1 |
| vulnerability |
VCID-b2m1-kmdu-ykgt |
|
| 2 |
| vulnerability |
VCID-ccy3-s9ra-uub9 |
|
| 3 |
| vulnerability |
VCID-cwjw-gp95-5uad |
|
| 4 |
| vulnerability |
VCID-gdv1-n78f-tud7 |
|
| 5 |
| vulnerability |
VCID-gefx-xng3-k3f4 |
|
| 6 |
| vulnerability |
VCID-jxyb-k93s-g3e8 |
|
| 7 |
| vulnerability |
VCID-na8b-yqpp-p7fj |
|
| 8 |
| vulnerability |
VCID-q59b-2z2s-mfbt |
|
| 9 |
| vulnerability |
VCID-t716-h35b-9kf2 |
|
| 10 |
| vulnerability |
VCID-zn73-3dmx-vye4 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/vite@5.1.7 |
|
| 3 |
| url |
pkg:npm/vite@5.2.6 |
| purl |
pkg:npm/vite@5.2.6 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-6cep-dhsy-qkhg |
|
| 1 |
| vulnerability |
VCID-b2m1-kmdu-ykgt |
|
| 2 |
| vulnerability |
VCID-ccy3-s9ra-uub9 |
|
| 3 |
| vulnerability |
VCID-cwjw-gp95-5uad |
|
| 4 |
| vulnerability |
VCID-gdv1-n78f-tud7 |
|
| 5 |
| vulnerability |
VCID-gefx-xng3-k3f4 |
|
| 6 |
| vulnerability |
VCID-jxyb-k93s-g3e8 |
|
| 7 |
| vulnerability |
VCID-kb9w-txmc-pbhq |
|
| 8 |
| vulnerability |
VCID-na8b-yqpp-p7fj |
|
| 9 |
| vulnerability |
VCID-q59b-2z2s-mfbt |
|
| 10 |
| vulnerability |
VCID-t716-h35b-9kf2 |
|
| 11 |
| vulnerability |
VCID-zn73-3dmx-vye4 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:npm/vite@5.2.6 |
|
|
| aliases |
CVE-2024-31207, GHSA-8jhw-289h-jh2g
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-vyjc-1f5b-p7cs |
|
| 13 |
|